message decompressor to incorrectly allocate memory

bionic - cve-2019-20925 message decompressor to incorrectly allocate memory.

cve-2019-20925-focal message decompressor to incorrectly allocate memory.

The attachment "CVE-2019-20925-bionic-20210702.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Status changed to 'Confirmed' because the bug affects multiple users.

reattaching corrected debdiffs

focal decompressor security fix, reattched for updated quilt header and changelog

redo patch add CVE tag and update dch and quilt header

redo debdiff for pulling from 3.4 not 3.6
https://github.com/mongodb/mongo/commit/c1a956e084d39e6da75cd347e63d0064ed9151a8

rename patch to CVE-2019-20925-SERVER

focal cve-2019-20925

Hi,

Does anyone need anything else from me from the security side?

Is there a status update or a document showing this is being tracked on a TODO list?

Thanks,
Heather Lemon

There's a whole slew of CVEs that are shown to be open in bionic and focal:

https://ubuntu.com/security/cve?q=&package=mongodb&priority=&version=&status=

Is there a reason you only picked this one? If that's on purpose, I'll sponsor the debdiffs this week.

ACK on the debdiffs in comments #11 and #12. I've uploaded packages for building in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Could you please test them once they've finished building, and I'll release them as security updates. Thanks!

Yeah will do Thanks!

Hi Marc, this was actually supposed to go with this other LP https://bugs.launchpad.net/ubuntu/bionic/+source/mongodb/+bug/1934518 but Alex and I missed this one. It got dropped at some point I think we were too focused on the other one.
Thanks!

This bug was fixed in the package mongodb - 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3

---------------
mongodb (1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3) focal-security; urgency=medium

  * SECURITY UPDATE: message decompressor to incorrectly allocate memory (LP: #1933520)
    - d/p/CVE-2019-20925-SERVER-43751-Recompute-compressor-manager-message-pa.patch:
      An unauthenticated client can trigger denial of service by
      issuing specially crafted wire protocol messages,
      which cause the message decompressor to incorrectly allocate memory
    - CVE-2019-20925

 -- Heather Lemon <email address hidden> Thu, 26 Aug 2021 14:36:35 +0000

This bug was fixed in the package mongodb - 1:3.6.3-0ubuntu1.4

---------------
mongodb (1:3.6.3-0ubuntu1.4) bionic-security; urgency=medium

  * d/p/CVE-2019-20925-SERVER-43751-Recompute-compressor-manager-message-pa.patch
    Recompute compressor manager message parameters. (LP: #1933520)

 -- Heather Lemon <email address hidden> Tue, 03 Aug 2021 20:57:49 +0000